Preparing for a black swan cyber event

January 2017 | COVER STORY | RISK MANAGEMENT

Financier Worldwide Magazine

January 2017 Issue

There can be little doubt that cyber breaches are becoming more frequent and cyber criminals are becoming more sophisticated in their techniques. From malware to reconnaissance attacks, and from DoS/DDoS attacks to phishing campaigns, cyber criminals are becoming bolder and more determined by the day.

Unfortunately, they are also finding more success. We need only look at the breaches endured by companies such as Target, Sony and Yahoo to see that cyber crime is prevalent. Indeed, in some circles, arguably, it has become normalised. Society in general is now accustomed to seeing news stories of successful cyber attacks across a variety of countries and sectors.

In light of the snowball effect of cyber criminality, it is imperative that individuals, companies, industries and governments do not accept cyber breaches as merely part of their day to day operations. To defeat cyber criminals, hacktivists and their ilk, it is vital that organisations double down on cyber security provisions and do all they can to protect themselves against a breach. For too long, companies have adopted an ‘it will never happen to us’ approach to cyber security, yet there is a strong chance that a breach will happen, or already has. Many companies are susceptible and suffer a breach without even realising that it has occurred. Once a breach is discovered, the consequences can be costly, both financially and in reputational terms. Customer data, intellectual property, capital and personal information are all at risk once a party has been breached. Accordingly, companies are going to greater lengths to plan for and protect against attacks.

Expecting the unexpected

However, there is an argument that companies should go beyond just conventional planning for a cyber breach and prioritise a different type of defence for something out of the ordinary which might materialise – a black swan cyber event.

History is littered with black swan events, occurrences which deviate beyond what is normally expected of a situation and which are extremely difficult to predict. Conflicts like World War I, or terrorist strikes such as those that took place on 11 September 2001 in the US, are examples. The 2008 financial crisis is a further example of the devastation that can be wrought by a black swan event.

In the context of corporate cyber risk, companies must also increase their awareness across the board, at all levels of their organisation. Their preparations must include contingency planning for all types of threat, including those that emerge suddenly and cause damage as quickly as possible, or the slower, more insidious threats which fester in the background of a company, or even an entire industry. Failure to consider the various threats companies face and the best way to mitigate them could have disastrous consequences. Thankfully, many companies are learning. Despite the number of attacks we are seeing, cyber defences are becoming more robust as companies begin to appreciate their severity. “The level of cyber security awareness is definitely improving,” says Rob Pritchard, founder of The Cyber Security Expert. “Only a few years ago it would not have featured on the radar of most companies, whereas now it is an issue nearly all organisations take seriously, even if they are not sure what they should be doing.”

Planning for a breach is one of the most important tasks a company can undertake, which is evident in the aftermath of an attack. When an organisation is reeling, it is only then that the importance of its post breach planning will come to the fore. Mark Adair, a senior associate at Mason Hayes & Curran, says, “Companies need to undertake detailed planning. The plans should identify what the company’s high priority data and services are. They should afford these assets extra protection, and make restoring them during or after an attack a ‘priority one’ task. Business continuity plans and disaster recovery plans should not be theoretical – they need to be tested and dry-run at regular intervals and updated following the outcome of the test.”

One measure which is becoming increasingly popular in some markets, including with healthcare providers and hospitals infected by ransomware attacks in the US and Germany, is the removal of some online elements of their services. By taking some critical systems partially offline and embracing more traditional input methods – such as pen and paper – some firms are able to further mitigate the threat of a cyber breach to their systems. While this may be seen as a drastic and last resort measure, it does have its merits. In fact, some companies are now taking the ‘nuclear option’ and are restricting external internet access for staff. This approach is being adopted across many different industries, as cyber criminals look to disrupt critical services and assets. Power grids, for example, are an attractive option for malicious parties looking to cause chaos. In the US, the power grid has become an efficient network of electricity plants, transformers and other key pieces of infrastructure networked together in order to allow the redirection and management of power from those areas with surplus electricity to those in need of power. This interconnectivity, though a boon for those operating the network, also exposes the grid to attack. An attack on Ukraine’s network in 2015 left thousands of customers without power in the dead of winter.

For companies and nations, maintaining infrastructure assets cannot be neglected. The onus is on companies to ensure every effort is made to counter the impact of cyber criminality. Also, the role of regulators in this process should not be overlooked. Enforcement activity and fines are likely to be handed down where security is lacking. When protecting critical infrastructure assets, vulnerabilities in software, firmware or hardware need to be addressed. Risk assessments regarding ‘knowable’ or ‘likely’ threats should be carried out and companies need to detect system deficiencies. They must then act based on the likelihood of those threats becoming a reality. Proactive risk mitigation tactics are required, which include drawing lessons from successful attacks carried out elsewhere.

Evolving threats

Such issues present companies and lawmakers with an interesting dilemma: should companies go ‘retro’ and take parts of crucial networks offline, or should we reject analogue solutions and double down on higher tech tools? Engineering consultancy firms such as Kenexis have developed some cyber security measures which rely on mechanical technology to protect against cyber attack. However, with more of the physical world becoming part of cyber networks, such as the Internet of Things, companies are not being incentivised to pursue alternative forms of security. Though greater connectivity has countless productivity and synergy generating applications, it also presents a risk to the integrity of networks, data and safety.

The increasing digitisation of systems and data is likely to create significant challenges for firms and their security professionals moving forward. “As the world goes even more mobile and digital, the challenges faced by businesses and their security and fraud professionals must not be underestimated,” says Neira Jones, an independent information security and digital innovation adviser. “Indeed, the more and the faster we connect, digitise, innovate and share information, the more risks are introduced as criminals also connect, digitise, innovate and share information. While trying to keep pace with technology, it is frightening to note that businesses have not kept up pace with criminals. For example, as more than a third of global online transactions are now mobile, it is frightening to see that most companies do nothing to protect their mobile apps, or indeed their APIs. We have also recently seen how the IoT can be harvested to launch massive DDoS attacks.”

In recent years, cyber criminals’ methods of attack have become more varied and sophisticated. As Mr Pritchard notes, one of the most dangerous threats companies face today is that posed by ransomware. “This malicious software, which encrypts files and extorts money from the victim in return for providing the key to decrypt, has impacted individuals and small and large businesses. Companies all face this kind of threat, but of course different sectors face different specific threats. Finance companies in particular have to deal with the threat from well organised crime gangs, and attacks like those recently on the SWIFT network,” he adds.

Yet black swan cyber events could take a different approach to more traditional cyber attacks. Most cyber breaches are related to financial gain, be they from hacking groups or disgruntled employees. But perhaps the more dangerous threat is from those actors who seek to bring down an organisation or an entire industry.

Exploring solutions

To maintain a robust, comprehensive cyber network, there are a number of steps organisations can take. “Ensuring you have a well managed network is key,” says Mr Pritchard. “Take seriously the advice to patch and maintain software, and to know what you have installed where. Training users is also key. Users who understand what phishing emails look like, and other cyber security threats, and what they should do in response, are much more likely to keep a company’s data safe.”

When it comes to preparing for a black swan cyber event, the importance of connectivity cannot be underestimated. For Mr Adair, connectivity and cooperation around the types of threats that are emerging, and those that have previously been successful, are vital steps in helping to prevent future attacks. “There are various industry groups convening to share with each other intelligence about potential threats and post-mortems on the outcome of successful attack,” he says. “I believe this collaborative approach can be beneficial but companies need to ensure that they do not share any commercially sensitive or confidential information at these forums. They could also invite cyber security experts to make the meetings more valuable.”

Other experts believe this level of cooperation is crucial. “It is only unfortunate that it has taken massive public exposure to see positive action,” says Ms Jones. “Gottfried Leibbrandt, CEO at SWIFT, rightly said ‘the security of global banking can only be ensured collectively’ and the SWIFT board approved funding for the security programme at the beginning of June 2016 and has made several positive moves since then, so things should be moving reasonably quickly. In the meantime, while organisations continue to present themselves as easy targets to criminals, these types of attacks will still make the news. A lack of information security hygiene, adequate risk management, threat intelligence, governance and effective incident response are generally always the root cause. However, we can see a change in this area with many industries willing to cooperate, such as the automotive industry and the banking sector with the Cyber Defence Alliance.”

Situational awareness is a valuable tool for companies. Previously, true situational awareness has been difficult to achieve due to the reams of data businesses generate through their security tools, infrastructure components, servers and applications. Today, however, companies are able to leverage technology to cut through the noise. Operational tools enable companies to automate monitoring tasks and alert security teams to any anomalous activity that may indicate a breach across a network. These systems, and the security professionals needed to monitor their output and efficiency, are on the frontline in the fight against cyber crime. Situational awareness processes and systems are being used in concert with other, more traditional cyber security measures to enhance success.

Security information and event management products can also be leveraged after an attack, not only to help restore the organisation to a secure operating state, but also to learn from the incident and to better understand how to prevent an outage in the future. Forensic, post incident tools can offer a key insight into what went wrong.

Industry-wide collaboration

Establishing pools of relief funding may be one means by which companies can cooperate with one another to help mitigate the effects of a breach and stop it from escalating into an industry-wide meltdown. Cross industry response teams or organisations, which could take responsibility for regularly monitoring and addressing common cyber threats across a sector, could also help to control a cyber contagion. By cutting a breach off in its formative stages and informing other industry players of a threat, these types of response teams could help to isolate a problem and limit the damage before it spreads.

Once a breach has occurred, industry-wide containment plans, such as taking some elements offline, can help to limit the impact of certain cyber attacks. But this is only possible when companies are willing to work with their competitors as well as regulators, to ensure that in the event of an attack there are clearly established and defined channels and mechanisms for a speedy response.

In today’s increasingly connected and technologically advanced economy, it might seem foolish or backwards to even consider de-networking elements of business operations, but we do not live in ordinary times. Cyber criminals and the actions they take will only become more sophisticated. The implications for businesses, sectors and nations will be exponentially worse as we become increasingly reliant on technological developments to ease our daily lives.

In 2016, the US White House issued its first emergency response manual for a major cyber attack – an important step given the potential risks such attacks pose to national infrastructure networks, economic stability and ultimately human life. Companies would do well to apply the same sort of urgency to their own cyber defences and contingency planning.